US Government May Require Civilian Agencies to Address Critical Vulnerabilities Within Three Days; Are They Prepared?

May 12, 2026


While there is no official word yet and a decision has reportedly not been reached, inside sources at CISA say that high-level discussions are taking place about cutting the remediation deadline for entries in CISA's Known Exploited Vulnerabilities (KEV) catalog to just three days for federal civilian agencies.

Until recently that deadline had been three weeks in most cases; it was then reduced to two weeks. Developments in AI appear to be driving the shortening deadlines, in particular recent word about the expected capabilities of Claude Mythos in finding critical vulnerabilities and helping to exploit them.

Tight deadline for critical vulnerabilities raises questions about readiness

The content of these discussions is not public, but it is a safe bet that they center on the readiness of federal agencies and on whether such a slim window is realistic at present.

The previous standard of several weeks was generally seen as a “tough but fair” benchmark, but fears of Mythos and similar models indexing and exploiting critical vulnerabilities within hours of disclosure appear to be prompting some panic. The federal government in particular has notorious problems with entrenched legacy systems that are hard to replace and hard to patch promptly, because each patch requires extensive testing to make sure that connected components do not break.

Of course, there remains some question about how threatening these models will actually be. There is general agreement that Mythos will make locating unpatched critical vulnerabilities much quicker and simpler, but considerable disagreement about how much it will add to attack capability beyond that. There is no question, however, that government systems will be among the priority targets and those most frequently probed by attackers. The financial industry is similarly scrambling to ready its defenses, since it is getting the same preview access to Mythos for security testing purposes that governments are.

Is a three-day patch requirement even possible?

New AI capabilities may well make it necessary, but there is serious doubt about whether most organizations can actually meet a three-day requirement for patching critical vulnerabilities, however badly it might be needed.

Some researchers feel that automating patches and updates is the only possible way to hit this goal. That would certainly seem to apply to CISA and the numerous federal agencies that have absorbed significant budget and staffing cuts over roughly the last year and a half. But organizations of all types are likely to struggle to deploy patches and remediations at this speed without either leaving exploitable gaps or disrupting business operations in some way. For those that lack full visibility into their attack surface, with every instance documented, it may well be impossible until that visibility exists: a deadline cannot be met for an asset nobody knows is there.

Beyond automation, organizations need to be on top of risk prioritization and cloud security ahead of the broad deployment of these new AI models. A shift of focus to user and device identity has already been under way with the “zero trust” movement, and AI capability will likely be a strong push toward adopting MFA and least-privilege setups.
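As a concrete illustration of the prioritization and visibility points above, here is an added example (not code from the article, from CISA, or from any agency) that matches an asset inventory against the KEV catalog feed and recomputes urgency under a three-day window instead of the catalog's own due date. The field names in the sample feed are those of CISA's public KEV JSON feed; every CVE ID, vendor, product, host name and date is constructed for the example, and the inventory format and the three-day SLA are assumptions, not an existing CISA requirement.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV catalog JSON feed. The field names
# (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, ...)
# are those of the real feed; every CVE ID, vendor, product and date below is invented.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.05.12", "dateReleased": "2026-05-12T00:00:00.0000Z", "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2026-10001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "vulnerabilityName": "ExampleVPN Gateway Authentication Bypass Vulnerability",
     "dateAdded": "2026-05-11", "requiredAction": "Apply mitigations per vendor instructions.",
     "dueDate": "2026-05-25", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-10002", "vendorProject": "Acme", "product": "FileShare Server",
     "vulnerabilityName": "Acme FileShare Server Path Traversal Vulnerability",
     "dateAdded": "2026-05-07", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-05-21", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-20003", "vendorProject": "Acme", "product": "Directory",
     "vulnerabilityName": "Acme Directory Privilege Escalation Vulnerability",
     "dateAdded": "2025-11-03", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-11-17", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset-inventory export (hypothetical CMDB/scanner format). The last host
# has no vendor/product recorded: the kind of visibility gap the article warns about.
INVENTORY = [
    {"host": "vpn-01.example.gov", "vendor": "ExampleVPN", "product": "Gateway",
     "remediated_cves": []},
    {"host": "fs-02.example.gov", "vendor": "acme", "product": "fileshare server",
     "remediated_cves": []},
    {"host": "dc-01.example.gov", "vendor": "Acme", "product": "Directory",
     "remediated_cves": ["CVE-2025-20003"]},
    {"host": "legacy-07.example.gov", "vendor": "", "product": "", "remediated_cves": []},
]


def product_key(vendor, product):
    """Normalise vendor/product so inventory spelling matches the catalog's."""
    return (vendor.strip().lower(), product.strip().lower())


def load_kev(feed_json):
    """Index KEV entries by (vendor, product) so each asset is matched directly."""
    by_product = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = product_key(entry["vendorProject"], entry["product"])
        by_product.setdefault(key, []).append(entry)
    return by_product


def prioritise(inventory, kev_by_product, today, sla_days=3):
    """Return (findings, blind_spots): unremediated KEVs on known assets, most urgent
    first, each carrying the internal SLA due date (dateAdded + sla_days) beside the
    catalog's own dueDate; plus hosts that cannot be matched because vendor/product
    are missing from the inventory."""
    findings, blind_spots = [], []
    for asset in inventory:
        if not asset["vendor"].strip() or not asset["product"].strip():
            blind_spots.append(asset["host"])
            continue
        for entry in kev_by_product.get(product_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset["remediated_cves"]:
                continue
            sla_due = date.fromisoformat(entry["dateAdded"]) + timedelta(days=sla_days)
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "catalog_due": entry["dueDate"],
                "sla_due": sla_due.isoformat(),
                "days_left": (sla_due - today).days,  # negative means already overdue
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Least time remaining first; known ransomware use breaks ties.
    findings.sort(key=lambda f: (f["days_left"], not f["ransomware"]))
    return findings, blind_spots


def report(feed_json, inventory, today_iso, sla_days=3):
    """Convenience wrapper taking the report date as an ISO string."""
    return prioritise(inventory, load_kev(feed_json), date.fromisoformat(today_iso), sla_days)


if __name__ == "__main__":
    findings, blind_spots = report(KEV_FEED_JSON, INVENTORY, "2026-05-12")
    for f in findings:
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['host']:24} {f['cve']:15} SLA {f['sla_due']} ({state}) "
              f"catalog {f['catalog_due']} ransomware={f['ransomware']}")
    print("unmatchable assets:", blind_spots)
```

Run on the constructed data for 12 May 2026, the file server's CVE is still nine days inside the catalog's two-week due date but already two days overdue under a three-day window, the VPN gateway has two days left, and the legacy host cannot be assessed at all. Swapping `sla_days=14` reproduces the catalog's own due dates, which is a quick way to confirm the inventory matching before tightening the clock.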